Writing SearchMash, there are a lot of security features I wish I had access to:
- One-way access to frames
- Disabling scripting for frames
- Turn off cookies for Java
- Signed scripts
My big headache is running external, untrusted HTML in a frame that has full access to my applet. There should be a way to set a frame with programmatic content, but not allow any scripts in it to access other frames. I believe that the security=restricted frame attribute might allow this in IE, but it’s not supported by the other browsers.
I’d be happy if I could turn off scripting entirely for a particular frame. This is what my blacklisting code does, but it seems like it would be a lot easier and more robust to do it at the browser level.
I don’t want my page fetches to send cookies, but there doesn’t seem to be any way to disable this when running an applet inside the browser.